A friend is asking about their ASP.NET site that has been getting hacked. It's on a hosted server - cheapo hosting.

I haven't seen it myself just yet, but I'm hoping for ideas on where to look once I do.

The symptoms reported are that links, some mangled, are appearing appended to the .ASPX file (aspx/html on the disk).

Before I learned this, I thought it was SQL injection with links getting appended to their poorly written (I've seen that one) "content manager" content. So I don't think that SQL injection could do this.

Anyone else seen this kind of hack?

+2  A: 

why wouldn't they just take the entire site over?

Because then you'd notice. The usual aim is to add linkfarming and trojan-loading exploits to a popular site for as long as possible before the admin notices and takes it off-line.

If your actual .aspx files are being appended to, then that's probably a trivial automated attack on an FTP site using stolen passwords. Most commonly today, this happened because a client machine that has been used to connect to the FTP has been hacked and a password-stealing trojan installed.

Check all client machines that have been anywhere near the FTP thoroughly (and reinstall dirty systems completely rather than using today's unreliable anti-virus software to attempt to ‘clean’ them). Then change the password for FTP access (much better: use SFTP. FTP is an insecure pile of crud that no-one should be using in this century).

bobince
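
A way to find which pages have had markup appended, as described in the answer above. This is an added example, not code from the original post: it walks a local copy of the site and reports any page with link, script or iframe markup after the final `</html>` tag. It assumes the pages normally end with a closing `</html>` tag; the extension list and the sample pages are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Page extensions to inspect (assumption: the site serves these types).
PAGE_SUFFIXES = {".aspx", ".html", ".htm"}
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
# Markup that has no business appearing after the document has been closed.
INJECTED = re.compile(rb"(?:href|src)\s*=|<script\b|<iframe\b", re.IGNORECASE)


def trailing_content(data: bytes) -> bytes:
    """Return whatever follows the last </html> tag, stripped of whitespace."""
    matches = list(CLOSE_HTML.finditer(data))
    if not matches:
        return b""  # no closing tag: nothing to measure against
    return data[matches[-1].end():].strip()


def scan(root):
    """Return (file name, marker count, snippet) for pages with appended markup."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        tail = trailing_content(path.read_bytes())
        hits = INJECTED.findall(tail)
        if hits:
            findings.append((path.name, len(hits), tail[:80].decode("latin-1")))
    return findings


def demo():
    """Run the scan over two constructed sample pages in a temp directory."""
    clean = b"<html><body><a href='/about.aspx'>About</a></body></html>\r\n"
    dirty = clean + b'<a href="http://spam.example/x">pills</a><a href=http://spam.example/y>'
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "default.aspx").write_bytes(clean)
        Path(tmp, "news.aspx").write_bytes(dirty)
        return scan(tmp)


if __name__ == "__main__":
    for name, count, snippet in demo():
        print(f"{name}: {count} injected markers after </html>: {snippet}")
```

Call `scan()` on a downloaded copy of the web root; the modification times of the files it flags can then be matched against the host's FTP logs.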